Method, gateway and system for transmitting data between a device
in a public network and a device in an internal network


The present invention generally is related to data transmission via IP based public
networks and particularly to data transmission via the internet to an internal device of
an internal network upon using asymmetric keys.

Electronic data or messages transmitted via public networks like the internet are
typically encrypted in order to preserve the privacy of the transmitted information.
Preferably, public key systems are used in this regard. By encrypting the transmitted
information with the public key of a destination device, it can be guaranteed that only
the destination device, which securely stores the corresponding private key, can
decrypt the transmitted information by means of the private key.



In the internet the public key of a user may be provided by means of a public key
server. The public key server stores the public key of the user and for example a
certificate of the public key, which is issued for the public key by a trusted third party.
Accordingly, a sender of a message to the user may request the user's public key or
the corresponding certificate, for checking the validity of the public key, from the public
key server. Public key servers, certification authorities and further components provide
a system also referred to as a public key infrastructure (PKI).



For transmitting information over the internet the sender further needs the unique IP
address of the destination. The number of world wide IP addresses however is limited
and becomes a scarce resource due to the rising number of participants in the
internet. Moreover, a user publishing his IP address becomes open to a variety of
possible attacks.


As a consequence, IP addresses are usually not published, but exchanged upon
request only. Thereby the number of steps for establishing a secure communication
path via the internet increases significantly. For example, when using temporarily
assigned IP addresses, such IP addresses initially have to be communicated and
administered, then validated for a secure communication and finally prevented from
being hijacked by third parties.



EP 1 035 702 A2 discloses a system for secure communication between a mobile
host and a device within an internal network, which prevents the hijacking of IP
addresses. A gateway, having a secure port coupling the gateway to a secure
network and an insecure port coupling the gateway to an insecure or public network,
provides a list of secure IP addresses for use on the public network. The IP address
of the mobile host is assigned to a "secured address". Data packets received in the
gateway are analysed as to whether they are received from a secured address. The
gateway then transmits the received data to the destination address with the secured
address as a sender's address. Accordingly, the potentially insecure IP address of the
sender is neither known nor used within the secure network.

It is the object of the present invention to provide a gateway, a public key server, a
system as well as a method for transmitting data between a remote device in a public
network and an internal device in an internal network, which are particularly improved
with regard to the number of required world wide IP addresses.

This object is achieved by the subject matters of the independent claims. Preferred
embodiments of the invention are described in the dependent claims.

It is a first aspect of the present invention that the number of IP addresses may be
reduced when using a gateway forwarding data to an internal device based on
public key information included in the transmitted data for identifying the internal
device. As a further aspect of the present invention the process of establishing a
secure communication path is improved by storing the gateway address together with
public keys or certificates thereof in a public key server and providing the stored
information upon request.



According to the present invention, a gateway for connecting a public network to an
internal network comprises a control unit for controlling a transmission of incoming
and/or outgoing data between a remote device in the public network and an internal
device in the internal network. Furthermore, the gateway comprises a public port
connected to the public network and an internal port connected to the internal network
as well as storage units storing a list of public key identifiers and respectively
associated internal network addresses of internal devices. Moreover, the control unit
is adapted for identifying a destination of the incoming data, which are addressed to a
public network address of the gateway, by determining an internal network address of
the internal device based on public key information included in the incoming data and
the list of public key identifiers and associated internal network addresses.

In a corresponding method for transmitting incoming and/or outgoing data, the method
performed in the gateway of the internal device comprises the steps of: receiving data
transmitted between the remote device and the gateway of the internal device,
forwarding the incoming data to the internal device, storing a list of public key
identifiers and associated internal network addresses and identifying a destination of
the incoming data which are addressed to the public network address of the gateway, by
determining an internal network address of the internal device based on public key
information included in the incoming data and the stored list of public key identifiers
and associated internal network addresses.

Hence, for a plurality of devices connected to the internal network only a single IP
address is required. Moreover, such a solution avoids any additional identifiers or
data fields, but may use existing data fields or information of a PKI system. Finally,
communication paths may be established for any remote user and not only for
specifically trusted remote users, because the gateway may control or limit the
transmission of data.

In an improved embodiment the gateway further comprises an encryption unit for
encrypting outgoing data and/or a decryption unit for decrypting incoming data.
Accordingly, independently of an encrypted or unencrypted status of the data to be
transmitted to the internal device, data received or sent via the public interface port
may be additionally encrypted.

It is particularly advantageous if the gateway is further adapted to store or delete an
entry in the list of public key identifiers upon request. This enables a user associated
to the public key to either work at different internal devices or to even register at
different gateways, e.g. from day to day.

Furthermore, a system according to the invention comprises the gateway described
above and a remote device addressing data intended for an internal device of the
internal network of the gateway to the public network address of the gateway.
Accordingly, such a system may be implemented with a common remote device by
software adaptations in the remote device only.




Moreover, according to a preferred embodiment of the invention the remote device
stores a plurality of gateway addresses for the destination and selects the public
network address of the gateway from the list of gateway addresses in accordance with
predefined first gateway determination rules. By predefining one of a plurality of
gateways for a specific case, the flexibility or mobility of the user defining such rules is
significantly improved.

Further according to the present invention there is provided a public key information
server storing at least one public network address of a destination gateway and
providing this public network address as a destination address upon request from a
device in the public network. This kind of public key server significantly improves the
process of establishing an encrypted communication path between devices in the
public network and the internal network. The public key server may be provided within
a system according to the invention, but is generally independent of implementation
details of the addressed gateway.

In an advantageous embodiment of the public key server, the same is adapted to
store a plurality of gateway addresses for at least one destination and selects the
public network address of the gateway from the list of gateway addresses in
accordance with second predefined rules. This allows the user to register his
communication preferences at one central point. Moreover, the registered information
may be provided selectively in accordance with the entity requesting the information.

In the following, embodiments of the present invention are described in detail with
reference to figures illustrating:

Figure 1 a system including a gateway of an internal network, a remote device
and a public key information server;

Figure 2 functional units of a remote device;

Figure 3 functional units of a public key information server;

Figure 4 functional units of a gateway;

Figure 5 a table storing a list of public key identifiers associated to internal
addresses;

Figure 6 a table storing a list of existing connections provided by a gateway;

Figure 7 a table storing user IDs associated to public key IDs;

Figure 8 a table storing gateway IDs and corresponding gateway IP addresses;

Figure 9 a table storing user IDs and associated gateway IDs for different cases;
and

Figure 10 a table storing gateway determination rules for the different cases
specified in the table of Figure 9.



Figure 1 illustrates a system comprising a remote device 11, a gateway 12, an internal
device 13 arranged in an internal network, the internet 14 and a public key server 15.
The remote device 11 is a data processing device, for example a computer, which is
connected to the internet 14. Furthermore, the internal device 13 is connected to the
internet 14 via the gateway 12 of the internal network.

The remote device 11 sends data to be transmitted to the internal device 13 via the
internet 14 towards the gateway 12 by using the IP address of the gateway 12. The
transmitted data comprise unique public key information such as a public key identifier
of the internal device's public key.



The gateway 12 stores a list of public key identifiers and associated internal network
addresses for identifying a destination of the incoming data which are addressed to
its public network address. Accordingly, the gateway 12 determines an internal
network address of the internal device 13 based on the public key information
included in the incoming data as well as the stored list of public key identifiers and
associated internal network addresses. Hence, the gateway 12 extracts the relevant
public key information from the received data and refers to the stored list in order to
determine the destination of the received data. Finally, the incoming data are
forwarded to the internal device 13 by the gateway 12.




Hence, only the gateway needs a unique world wide IP address. The remote device or
sender will always connect to the gateway, which forwards the connection to the
destination.

It is noted that the public key may be a public key of a device or a public key of a user
of this device. The transmitted data may also comprise public key information
identifying the remote terminal or its user as the sender of the data. Optionally, the
transmitted information may be encrypted with the public key of the internal device 13
and/or the gateway 12. The internal device 13 may be any kind of data processing
device, preferably a personal computer or an information server such as an FTP
server.

Furthermore, although the transmission of electronic data or messages is preferably
described in the direction from the remote device to the internal device, as is
apparent to the skilled person, electronic data or messages may as well be
transmitted vice versa.

Moreover, if a user of the internal device 13 is requested to communicate with a user
of the remote device 11, the gateway provides a connection path for a corresponding
2-way communication between the devices. The accordingly transmitted data
correspond to messages of the users.

The remote device 11 may store the relevant information, for correctly addressing the
data to the gateway, in its storage means as illustrated in more detail below with
reference to Figures 7-10. However, the required information may as well be
provided by the public key server 15. Remote devices initially establishing a
communication path typically request some kind of public key information about the
internal device 13 from the public key server 15. For example, they request the public
key of the internal device 13 and/or a corresponding certificate, issued by a trusted
third party such as a certification authority, in order to verify the public key of the
internal device 13.

An internal device in the internal network may still have and use a world wide IP
address; the gateway then forwards such directly addressed information to the
corresponding internal device.




In the following, the general structure of the devices illustrated in Fig. 1 is described 
with respect to Fig. 2 to 4. 

Figure 2 illustrates the basic components of a remote device. The remote device
typically comprises a CPU 21, a public network interface unit 22, user input/output
units 23, primary storage means 25, secondary storage means 24 as well as an
optional cryptographic unit 26. The primary storage means 25 may include RAM,
EEPROM and ROM, whereas the secondary storage means may be formed by a hard
disk, magnetic disk or optical disk drive.

An operating system and additional software, adapted to control the steps required in
a system according to the present invention, is stored in the storage means 24, 25.
Accordingly, a user enters a request for data transmission via the user input/output
units 23, which typically comprise monitor, keyboard and mouse. The user request
triggers the remote device to transmit data to a device in an internal network via the
public network interface unit 22, which connects the remote device to the public
network.

The cryptographic unit 26 performs any required encryption, decryption, signature,
signature verification or authentication processes. The cryptographic unit 26 may
however as well be implemented in software stored in one of the storage means 24,
25. Additionally, the tables illustrated in the Figures 7-10 may be stored in the storage
means 24, 25. As will become apparent in more detail from the following, the
remote device may request required information such as public keys, certificates
and/or the gateway address of the internal device from a public key server.

Figure 3 illustrates components of the public key server 15 illustrated in Figure 1.

The public key server of Figure 3 comprises a CPU 31, a public key request interface
32 connected to the internet, a gateway information input unit 33 also connected to
the internet, operator input/output units 34 and storage means 37 for public key
information.

Preferably, gateway IP addresses, which are intended to be used as corresponding
destination addresses, are stored in a separate gateway information storage means
36. Each gateway IP address is associated with at least one public key of a user or
device stored in public key storage means 37. Gateway determination rules as
illustrated in Fig. 9, 10 may also be stored in the gateway information storage means
35. Separately stored gateway IP address information enables a user to flexibly alter
or administer the stored information via input through the gateway information input
unit 33. Due to separate storage the public key remains unchanged and thus for
example a reissue of a corresponding certificate is avoided.



However, the gateway IP address information may as well be included in the stored
public key information within the public key storage means 37 or even within a
certificate for public keys, such as an X.509 certificate, stored in certificate storage
means 36.

Upon request the public key server provides a gateway IP address and optionally
even the required public key information to be transmitted for identification of the
destination of transmitted data. Requests such as a common request for a public key
or a certificate are received via the public key request interface 32. The requested
information is identified and transmitted to the requesting party in response to the
received request. In response to the common request the gateway IP address is either
transmitted together with the requested information or separately. Moreover, the
gateway IP address may as well be transmitted upon receiving an explicit request for
this information.



Figure 4 illustrates basic components of a gateway according to the invention. 

The gateway comprises a public interface port (or unit) 44 connecting the gateway to 
the Internet and an internal interface port (or unit) 45 connecting the gateway to the 
internal network. Furthermore, a control unit 41 controls the transmission of incoming 
and/or outgoing data between a remote device of the public network and an internal 
device in the internal network. Storage means 42 store a list 421 of public key 
identifiers and respectively associated internal network addresses of internal devices. 

The control unit 41 identifies the destination of incoming data, which are addressed to
the public network address of the gateway, by referring to the stored list 421 based on
public key information included in the incoming data. Thereby the internal network
address of the destination is determined.




Furthermore, the gateway illustrated in Figure 4 comprises an encryption/decryption
unit 43 and an authentication unit 46. The encryption/decryption unit 43 enables the
gateway to decrypt received incoming data completely or partially, and to encrypt
outgoing data accordingly. The authentication unit 46 enables the gateway to approve
authenticity of transmitted data, public keys and/or certificates and to provide gateway
authentication data indicating authenticity of data, public keys and/or certificates of the
gateway. Although not illustrated in Figure 4, storage means 42 may additionally store public
keys of third parties such as remote devices.

The data may be transmitted via the public network in one of the following modes:
encrypted with the public keys of the gateway and the internal device, encrypted with
the public key of the gateway or the internal device, or even unencrypted. If preferred,
the public key information identifying the destination of the transmitted data may be
encrypted with the public key of the gateway to hide even the identity of the recipient
within the public network. The data transmitted to the gateway for example comprise:
the public key information or identifier, control data required for transmission in the
public network and message data intended to be sent to the user or device.

The storage means 42 also store a connection list 422, access control rules 423 and a
user register 424. An existing or newly-established connection between the remote
device and the internal device is stored in the connection list 422, which will be
described in more detail below with reference to Figure 6.

The user register 424 holds a list of users presently connected to the internal network
or users having actively registered or unregistered with the gateway. Hence, a user
may register with the gateway when arriving at his office in the morning and unregister
when leaving for lunch. The list of public key identifiers and associated internal
network addresses may comprise an alternative internal address for forwarding
transmitted data for the user, which is used in case he is currently not registered with
the internal network. The alternative internal address could for example be the internal
address of his colleague or a voicemail-box.

The access control rules 423 stored in the storage means 42 of the gateway comprise
rules with regard to which type of connections may be established or even denied, for
example, depending on the type of connection, the sending or the receiving party.
According to one rule an ftp-server may for example receive data to be stored on the
ftp-server from any remote user. Additionally, the gateway may for example only
establish connections for predefined users, predefined destinations or after
authentication of remote devices. Moreover, the access rules may define
whether the data has to be transmitted in an encrypted or unencrypted mode within
the internal network, on its way to a specific destination or within the public network.

Since the gateway not only knows the recipient of the data, but may as well check the
type of connection to be established or used and the identity of the sender, flexible
access control rules can be defined for controlling the establishment and provision of
connections. In particular, it can be avoided that the remote device achieves unlimited
access to the internal network or access to any internal information.

Moreover, the gateway may be adapted to communicate with a further gateway
according to the present invention. For example, if the remote device is arranged in a
further internal network comprising such a gateway, the gateway of the internal device
may request the public key information including the remote device's gateway IP
address from the public key server 15.

In the following, structure and purpose of data stored in the devices illustrated in Fig. 1
are described with respect to Fig. 5 to 10.

Figure 5 illustrates an example for a list of public key identifiers 52 and associated
internal addresses 53 as stored in the gateway. A column 51 identifying a respective
user is additionally stored together with the relevant information. Accordingly, the user
Alpha is connected to the internal network of the gateway and may be addressed via
the internal network address iadr_A. Moreover, the public key of the user Alpha can
be identified by means of the unique public key identifier A_ID. It should be noted that
for example the user Gamma may correspond to a hardware unit such as an ftp-
server having its own public key and being connected to the internal network.

Moreover, one user may have more than one internal address assigned in the internal
network. Depending on the type of data to be transmitted, which corresponds to the
type of connection, the different addresses may for example refer to the user's
computer, (IP based) telephone, fax or ftp-server.

A list of existing connections of the gateway, as illustrated in Fig. 6, stores an identifier
for the remote device 62, the internal address 63 of the internal device as well as, for
example, a temporarily assigned port 61 of the connection from the plurality of internal
ports of the gateway. Additional information about the connection such as the time of
the last received or transmitted data packet or the type of connection may further be
stored in this table.
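The destination lookup of the gateway described for Figure 4, together with the user register and alternative address, the access control rules and the connection list of Figures 5 and 6, as an added Python example that is not part of the patent. The patent names only the user Alpha with identifier A_ID and address iadr_A and an ftp-server Gamma; the remaining table rows (B_ID, C_ID, iadr_B, iadr_ftp), the connection types, the access policy, the gateway's public address and the message layout are constructed assumptions for this illustration.

```python
# Added example, not the patent's own code: a gateway resolving incoming data to an
# internal address by the public key identifier it carries (Figures 4 to 6).
# All table contents, addresses and the message layout are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class RegistryEntry:
    """One row of list 421 (Figure 5): user, one internal address per connection
    type, and an optional alternative address used while the user is not registered."""
    user_id: str
    addresses: Dict[str, str]
    alternative: Optional[str] = None


# Figure 5 names Alpha / A_ID / iadr_A and the ftp-server Gamma; the rest is constructed.
PK_LIST: Dict[str, RegistryEntry] = {
    "A_ID": RegistryEntry("Alpha", {"mail": "iadr_A", "voice": "iadr_A_phone"}, alternative="iadr_B"),
    "B_ID": RegistryEntry("Beta", {"mail": "iadr_B"}),
    "C_ID": RegistryEntry("Gamma", {"ftp": "iadr_ftp"}),
}


@dataclass
class IncomingData:
    """Data arriving on the public port: control data, the public key information
    identifying the recipient, and the message payload (layout constructed)."""
    gateway_addr: str            # public network address the data is addressed to
    pk_id: str                   # public key identifier of the internal recipient
    conn_type: str               # e.g. "mail", "voice", "ftp"
    sender_id: str
    sender_authenticated: bool   # result of the authentication unit 46
    payload: bytes


# Access control rules 423: connection type -> predicate deciding whether the
# connection may be established for this sender (constructed policy).
ACCESS_RULES: Dict[str, Callable[[IncomingData], bool]] = {
    "ftp": lambda msg: True,                        # the ftp-server accepts any remote user
    "mail": lambda msg: msg.sender_authenticated,   # other types need an authenticated sender
    "voice": lambda msg: msg.sender_authenticated,
}


@dataclass
class Gateway:
    public_addr: str
    registered_users: Set[str] = field(default_factory=set)   # user register 424
    connections: List[dict] = field(default_factory=list)     # connection list 422 (Figure 6)
    next_port: int = 40000                                    # temporary ports, constructed range

    def register(self, user_id: str) -> None:
        self.registered_users.add(user_id)

    def unregister(self, user_id: str) -> None:
        self.registered_users.discard(user_id)

    def resolve(self, msg: IncomingData) -> Optional[str]:
        """Return the internal address for msg, or None if it must not be forwarded."""
        if msg.gateway_addr != self.public_addr:
            return None                      # not addressed to this gateway
        entry = PK_LIST.get(msg.pk_id)
        if entry is None:
            return None                      # unknown public key identifier: drop
        rule = ACCESS_RULES.get(msg.conn_type)
        if rule is None or not rule(msg):
            return None                      # connection type denied for this sender
        if entry.user_id in self.registered_users:
            return entry.addresses.get(msg.conn_type)
        return entry.alternative             # e.g. a colleague or a voicemail box

    def forward(self, msg: IncomingData) -> Optional[Tuple[str, int]]:
        """Resolve msg, record the connection (Figure 6) and return (address, port)."""
        dest = self.resolve(msg)
        if dest is None:
            return None
        port = self.next_port
        self.next_port += 1
        self.connections.append({
            "port": port, "remote": msg.sender_id, "internal": dest,
            "type": msg.conn_type, "last_packet": datetime.now(timezone.utc),
        })
        return dest, port


if __name__ == "__main__":
    gw = Gateway("203.0.113.10")              # constructed public address of the gateway
    gw.register("Alpha")
    gw.register("Gamma")                      # the ftp-server is always present
    print(gw.forward(IncomingData("203.0.113.10", "A_ID", "mail", "remote-1", True, b"hello")))
    gw.unregister("Alpha")                    # Alpha leaves: data goes to the alternative address
    print(gw.forward(IncomingData("203.0.113.10", "A_ID", "mail", "remote-1", True, b"hello")))
```

The sender never learns an internal address: it only presents a public key identifier, and the gateway decides, from its own tables and the access control rules, whether and where the data goes. Data for an unknown identifier, for a connection type the rules deny, or not addressed to the gateway's own public address is dropped before any internal address is consulted.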



The tables illustrated in Figures 7-10 may be stored in the remote device 11 and/or
the public key server 15 illustrated in Figure 1.

A list of user identifiers 71 and associated public key identifiers 72, as illustrated in
Figure 7, may additionally be stored in the gateway 12 of Figure 1. In the list user
Alpha is identified to have the public key with the public key identifier A_ID.

Furthermore, as illustrated in Figure 8, the gateway information comprises a gateway 
identifier 81, a gateway IP address 82 and an optional data field 83 for the public key 
of the gateway. 

Moreover, the table illustrated in Figure 9 stores a user identifier 91 and a gateway
identifier 93. These data fields may be mapped to the user identifier 71 of Figure 7
and the gateway identifier 81 of Figure 8. Besides providing the reference between
user identifiers and gateway identifiers, in the example illustrated in Figure 9, the table
stores different gateway identifiers associated to one user. The user Alpha, depending
on the value of a case identifier 92, is associated to one of gateway identifiers G1 - G3.

As shown in Fig. 10, a corresponding list defining the different cases stores a case
identifier 96 associated to a user identifier 94 or defined as a default case
independently of a user identifier. The column determination rule 95 indicates how to
determine whether one of the cases is fulfilled. In this example the public key server
15 or the client 11 are assumed to check the cases in the order of the case values.
Hence, on Saturdays and Sundays the public key server receiving a request for public
key information for the user Alpha provides the gateway IP address IP_adr_G1 as a
destination address of data to be transmitted to the user Alpha. According to the first
line of determination rule 95 for the user Alpha, case number one is identified as the
relevant case. Hence, for case number one and user Alpha the gateway identifier G1
is identified in column 93 of Fig. 9. Finally, the corresponding gateway IP address is
derived from the table illustrated in Figure 8.




Accordingly, the second line in the table illustrated in Figure 10 defines that, if the
sender is a member of the company of the user Alpha, the gateway IP address of
gateway G2 has to be used. The third line in Figure 10 represents a default case for
the user Alpha indicating to use gateway G3 in all other situations not previously
covered.
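The gateway determination of Figures 8 to 10, which the public key server (or a remote device holding the same tables) performs when it answers a request for a destination's gateway address as described for the public key server above, as an added Python example that is not part of the patent. The three cases for the user Alpha (weekend, colleague as sender, default) and the gateway identifiers G1 to G3 come from the patent; the address values IP_adr_G1 to IP_adr_G3 are kept symbolic as in the text, while the request fields, the company membership data and the additional user-independent default case are constructed assumptions.

```python
# Added example, not the patent's own code: determining the gateway IP address for a
# destination user from the tables of Figures 8 to 10. Rule predicates, the company
# membership data and the user-independent default case are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

# Figure 8: gateway identifier -> gateway IP address (symbolic values as in the patent).
GATEWAYS: Dict[str, str] = {"G1": "IP_adr_G1", "G2": "IP_adr_G2", "G3": "IP_adr_G3"}

# Figure 9: (user identifier, case identifier) -> gateway identifier. The entry keyed
# by None is a constructed default case that is independent of the user.
USER_GATEWAY: Dict[Tuple[Optional[str], int], str] = {
    ("Alpha", 1): "G1",
    ("Alpha", 2): "G2",
    ("Alpha", 3): "G3",
    (None, 9): "G3",
}

COMPANY: Dict[str, str] = {"Alpha": "ExampleCorp", "Beta": "ExampleCorp"}   # constructed


@dataclass
class AddressRequest:
    """A request for the gateway address of user_id, as seen by the public key
    server or the remote device (fields constructed)."""
    user_id: str
    sender_company: str
    today: date


# Figure 10: case identifier, owning user (None = default for everyone) and the
# determination rule. The cases are checked in the order of their case values.
RULES: List[Tuple[int, Optional[str], Callable[[AddressRequest], bool]]] = [
    (1, "Alpha", lambda req: req.today.weekday() >= 5),                        # Saturday or Sunday
    (2, "Alpha", lambda req: req.sender_company == COMPANY.get(req.user_id)),  # sender is a colleague
    (3, "Alpha", lambda req: True),                                            # default for Alpha
    (9, None, lambda req: True),                                               # constructed global default
]


def determine_gateway_id(req: AddressRequest) -> Optional[str]:
    """Walk the rules in case order; map the first fulfilled case through Figure 9."""
    for case_id, owner, rule in sorted(RULES, key=lambda r: r[0]):
        if owner is not None and owner != req.user_id:
            continue                                   # rule belongs to another user
        if not rule(req):
            continue                                   # case not fulfilled
        return USER_GATEWAY.get((owner, case_id))
    return None


def gateway_address(req: AddressRequest) -> Optional[str]:
    """The destination address returned to the requesting device (Figure 8 lookup)."""
    gid = determine_gateway_id(req)
    return None if gid is None else GATEWAYS.get(gid)


if __name__ == "__main__":
    weekend = date(2002, 8, 31)                                              # a Saturday
    weekday = date(2002, 9, 2)                                               # a Monday
    print(gateway_address(AddressRequest("Alpha", "OtherCorp", weekend)))    # IP_adr_G1
    print(gateway_address(AddressRequest("Alpha", "ExampleCorp", weekday)))  # IP_adr_G2
    print(gateway_address(AddressRequest("Alpha", "OtherCorp", weekday)))    # IP_adr_G3
```

Because the cases are evaluated in case order and the first match wins, a colleague sending on a weekend is still directed to G1, exactly as the first line of the rule table demands; the user-specific default (case 3) and the constructed global default (case 9) only apply when no earlier case is fulfilled.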

As is obvious from the above, a system according to the present invention may be
formed by any combination of units 11, 12 and 16 illustrated in Figure 1. Hence,
multiple gateways may exist and for example the remote device may be arranged in
an internal network of a second gateway. However, the system preferably only
comprises a single public key server or server network in order to provide the public
key information and the gateway IP addresses of the destinations via one source only.

The internal network may be split into an extra-net part and an intra-net part. The
extra-net part of the network has world wide IP addresses assigned and is connected
to the public network. The intra-net part operates on internal IP addresses, wherein
the gateway is arranged between the extra-net part and the intra-net part.
Claims:



30. Aug. 2002 



1. A gateway (12) for connecting a public network to an internal network, the
gateway comprising:

a control unit (41) for controlling transmission of incoming and/or outgoing data
between a remote device (11) in the public network and an internal device (13) in
the internal network;

a public port (44) connected to the public network; and
an internal port (45) connected to the internal network;



characterised by: 



a storage unit (42) storing a list of public key identifiers and respectively
associated internal network addresses of internal devices; and in that



the control unit (41) is adapted for identifying a destination of the incoming data,
which are addressed to a public network address of the gateway, by determining
an internal network address of the internal device (13) based on public key
information included in the incoming data and the list of public key identifiers and
associated internal network addresses.



2. The gateway according to claim 1 characterised in that the public key
information in the incoming data includes the public key identifier or allows to
determine the public key identifier.



3. The gateway according to claim 1 or 2 characterised by further comprising an
encryption/decryption unit (43) for decrypting the incoming data and/or
encrypting the outgoing data.

4. The gateway according to one of claims 1 to 3 characterised by further
comprising an authentication unit (46) for verifying the authenticity of transmitted
data, the internal device, the remote device and/or used keys.



5. The gateway according to one of claims 1 to 4 characterised in that the control
unit (41) is adapted to provide a connection path for a two-way communication
between the remote device and the internal device.

6. The gateway according to one of claims 1 to 5 characterised by further 
comprising an access control unit (423) for determining whether the incoming or 
the outgoing data may be transmitted according to predefined access control 
rules. 

7. A system comprising the gateway (12) according to one of claims 1 to 6 and a 
remote device (11) addressing data intended for an internal device (13) of the 
internal network of the gateway (12) to the public network address of the 
gateway (12). 

8. The system according to claim 7 characterised in that the remote device (11)
stores a plurality of gateway addresses for the destination and selects the public
network address of the gateway (12) from the list of gateway addresses in
accordance with predefined first gateway determination rules.

9. The system according to claim 7 or 8 characterised by further comprising a
public key information server (15) providing the public network address of the
destination's gateway as a destination address upon request.

10. The system according to one of claims 7 to 9 characterised in that the public
key information server (15) stores a plurality of gateway addresses for at least
one destination and selects the public network address of the gateway from the
list of gateway addresses in accordance with second predefined rules.

11. A public key server comprising:

storage means (35,36) for storing information in regard to a public key;

a public key request interface (32) for receiving a request for public key
information stored in said public key information storage means (37) and
transmitting the requested information to a requesting device in response
thereto;




characterised in that 

said storage means (37) stores a public network address of a gateway as a
destination address of data to be transmitted to a recipient, for gateways
identifying the recipient by means of a public key identifier included in the
transmitted data and forwarding the data to the recipient; and

said public key request interface (32) is adapted to transmit said stored public
network gateway address to the requesting device.

12. A method for transmitting incoming and/or outgoing data between a remote
device in a public network and an internal device in an internal network, the
method performed in a gateway of the internal device comprising:

transmitting the data between the remote device and the gateway of the internal
device;

forwarding the incoming data from the gateway to the internal device;
characterised by

storing a list of public key identifiers and associated internal network addresses;
and

identifying a destination of the incoming data, which are addressed to a public
network address of the gateway, by determining an internal network address of
the internal device based on public key information included in the incoming data
and the stored list of public key identifiers and associated internal network
addresses.
Abstract: 30. Aug. 2002

A gateway for connecting a public network to an internal network is provided. The
gateway comprises a control unit for controlling transmission of incoming and/or
outgoing data between a remote device in the public network and an internal device
in the internal network; a public port connected to the public network;
an internal port connected to the internal network; and a storage unit storing a list of
public key identifiers and respectively associated internal network addresses of
internal devices; wherein the control unit is adapted for identifying a destination of the
incoming data, which are addressed to a public network address of the gateway, by
determining an internal network address of the internal device based on public key
information included in the incoming data and the list of public key identifiers and
associated internal network addresses.